Slashdot is powered by your submissions, so send in your scoop

 



Forgot your password?
typodupeerror
×
Privacy Security The Internet

A New Hidden Way of Web Browser Profiling, Identification and Tracking (theregister.co.uk) 72

Researchers from Austria's Graz University of Technology "have devised an automated system for browser profiling using two new side channel attacks that can help expose information about software and hardware," reports The Register.

The researchers recently presented a paper titled "JavaScript Template Attacks: Automatically Inferring Host Information for Targeted Exploits," which The Register says "calls into question the effectiveness of anonymized browsing and browser privacy extensions... "

Long-time Slashdot reader Artem S. Tashkinov shared their report: One of the side-channel attacks developed for JavaScript Template Attacks involve measuring runtime differences between two code snippets to infer the underlying instruction set architecture through variations in JIT compiler behavior. The other involves measuring timing differences in the memory allocator to infer the allocated size of a memory region.

The boffins' exploration of the JavaScript environment reveals not only the ability to fingerprint via browser version, installed privacy extension, privacy mode, operating system, device microarchitecture, and virtual machine, but also the properties of JavaScript objects. And their research shows there are far more of these than are covered in official documentation. This means browser fingerprints have the potential to be far more detailed -- have more data points -- than they are now.

The Mozilla Developer Network documentation for Firefox, for example, covers 2,247 browser properties. The researchers were able to capture 15,709. Though not all of these are usable for fingerprinting and some represent duplicates, they say they found about 10,000 usable properties for all browsers.

This discussion has been archived. No new comments can be posted.

A New Hidden Way of Web Browser Profiling, Identification and Tracking

Comments Filter:
  • Sensationalism (Score:2, Informative)

    by Anonymous Coward

    "calls into question the effectiveness of ..."

    Yeah ok a new exploit doesn't mean everything done up till now wasn't effective against other tracking methods.

    And you can still turn JavaScript off.

    • by Z00L00K ( 682162 )

      Noscript helps a bit, but the best way to see how bad it is can be done by using https://amiunique.org/ [amiunique.org]

  • by Anonymous Coward

    A template attack is when you take a piece of code, called the template, and then run it and note down timings and such. If you then run it in a different environment, different timings compared to your template might reveal information about the environment you might not otherwise have access to. Also, slight tweaks to the template might result in very different timing changes in different environments.
    All in all I think the impact of this study is limited. Yes, there are a staggering number of properties,

    • by Anonymous Coward

      I note that once more this is a thing that slows down computers. I wonder why internet browsing now requires 8 gigs of ram, the web hasn't changed much since 5 years ago, it's text images and media files. What changed is the amount of data profiling done with JS.

      When I turn off JS using noscript I can happily browse with my 15 yo computer.

  • by Anonymous Coward

    Not just disable javascript, but also not to use browser-based applications, period.

  • by Anonymous Coward

    "JavaScript Template Attacks:

    Yet again... something that only works if you volunteer to run code delivered by the attacker.

    How many JS exploits and vulnerabilities and fingerprintings does it take before we learn not to take any shit that's thrown our way and run it?

    It's time to reboot the web. Remove all the shit. Make it simple, and secure.

  • Timing randomization would defeat all time measurement-based attacks, because there would be zero correlation between two of the same identical calls.

    • Exactly. I thought some browsers were already implementing timing randomization to address concerns of this sort. Perhaps I’m misremembering?

  • ... it seems obvious that a method that is a news item in The Register and /. is not something "hidden". Also within TFP (that is The Fucking Paper

    There are many legitimate reasons to prevent tracking and identification, and for certain groups, such as journalists or whistleblowers, it is in many cases even vital. However, for criminal actors, it is undoubtedly also beneficial to prevent tracking and unique identification. Thus, browsers such as the Tor browser are also heavily used for criminal activities [60], [17]. The anti-fingerprinting methods ensure that users can- not be tracked across websites, preventing deanonymization through the user's usage pattern of websites [57]. Thus, a tackers trying to reveal the identity of such users cannot rely on simply tracking a user with fingerprinting.

    we see serious attempt in FUD. I am eagerly waiting the day a new "Law Enforcement Tool" based on this paper to hit the market at a steep cost to tax payers, preferably Austrian tax payers only...

  • I'm reading Slashdot. I must me somewhat geeky. Got my ham license in 1967 and enjoyed working Morse Code (Hams refer to it as "cw" for continuous wave, a description of its unmodulated carrier).

    One summer eve a few friends and I went from our apartments in Queens to the Village. As we walked down St. Marks Place music played from the various record stores on the block. And then I heard it.

    The song, "Miss Morse" by Pearls Before Swine is reasonably banal.

    Oh Dear, Miss Morse

    I want you

    Oh yes, I

  • by gweihir ( 88907 ) on Sunday June 16, 2019 @07:05PM (#58773396)

    That is the main reason this is even a problem. Sure, executing code given to you from some untrusted source is and will remain a very bad idea. That is the reason why any kind of active content in browsers is a very bad idea in the first place: You have to have an isolated execution environment that is very resistant to attack. Personally, I don't think the practice of coding (i.e. implementing these sandboxes) will be mature enough to deliver that in the required strength for at least the next few decades. In the meantime, browsing with JS active remains a significant risk.

    • by bobby ( 109046 ) on Sunday June 16, 2019 @08:04PM (#58773588)

      My first posts on /. were to rant about javascript. Fast-forward- I don't hate javascript, but I hate what the browser and OS are willing to do.

      I agree- even a sandbox can't protect against these attacks.

      How about a network stack module that scans for any kind of browser info in sent packets, and replaces it with garbage, or some otherwise anonymizing data?

      • by Bite The Pillow ( 3087109 ) on Sunday June 16, 2019 @11:26PM (#58774018)

        Having a randomizer is an additional fingerprinting data point, especially if it is not baked in to the top 60%+ of browsers.

        Disabling JavaScript is another data point, but it reduces the attack surface so much that the other data points almost disappear. A trade off I have been comfortable with since 2003 or so.

        Yes I write JavaScript, yes the execution environment is a bit special case. But at home JS doesn't exist.

        • by gweihir ( 88907 )

          Randomizers may help some. You will still get that fingerprint, but it takes a lot longer. I think the actual browser-identification is mostly a red herring though, because if, say, 10% of the deployed browser/version combination is susceptible to a specific attack, attackers will just try it and not care about the failed ones. We are not really talking targeted attacks here after all, but cheap automated ones.

          Disabling JS is definitely a good idea.

    • Comment removed based on user account deletion
      • by gweihir ( 88907 )

        Indeed. That is why for e-banking, I have a VM with just that application (it is essentially a customized web-browser) and nothing else and an encrypted disk. Somebody investing effort will still get into that, but an automated attack will not.

    • by Anonymous Coward

      Personally, I don't think the practice of coding (i.e. implementing these sandboxes) will be mature enough to deliver that in the required strength for at least the next few decades.

      Try not mature enough ever. All it takes is one bug or oversight and your browser, email client, or any other program, is compromised. Never mind the fact that a lot of these web sites are pulling untrustworthy code from 3rd parties, and the AD networks themselves. You can't expect trustworthy code from a site who's sole source

    • by Anonymous Coward

      Agreed. Especially now, when the main client code out there is dominated by a huge advertising company whose interests may not be completely aligned with the user's.

      What miffs me most is that the web "programmers" are so idiotic as to require active content in places where it's totally unnecessary. Poster child is NASA's website [nasa.gov], which shows as a black hole for javascript-disabled browsers. Epic fail.

    • by AmiMoJo ( 196126 )

      Executing code in the browser is a great idea, because the alternative is far worse.

      Remember when everyone was getting infected because they downloaded some free screensaver or porn app? Much better to have Javascript running in a well tested sandbox, itself running in another sandbox, with ACLs and OS controls on top. A sandbox that doesn't even have the capability to "do you want to allow CLICK YES TO CONTINUE to make changes to your computer?"

      Web apps and mobile apps have done more than anything else to

      • by gweihir ( 88907 )

        Well, as somebody with a total of 1 benign spyware despite running Windows for a long time without a virus-scanner, I cannot really judge this. But I see your point. Lets just say it has gone from "extremely bad" to "bad". Maybe web-assembler will finally fix things by giving a good motivation to at least make that sandbox watertight.

  • by JustAnotherOldGuy ( 4145623 ) on Sunday June 16, 2019 @07:39PM (#58773490) Journal

    Privacy might not be dead but it's currently on life support and things aren't looking good. They're typing up the obituary now.

    Browser fingerprinting, license plate readers, cameras everywhere, facial recognition, bluetooth beacons and snooping, GPS tracking, cell tower tracking...and those are just the ones I can think of off the top of my head.

    Yeah, if you want privacy, go move to a hut in the Appalachian mountains and trap gophers for dinner. Gotta eat 'em raw because your cooking fire will give away your location with its heat signature.

  • by Anonymous Coward

    Back around the late 90s the DoD released a paper about side channel attacks. It's conclusion: too slow to exploit. Today we have Spectre and Meltdown, who wud of thunk.

    Back then, I said nope and immediately turned off JavaScript in all browsers (except turned on for a handful of trusted sites, but never for general web browsing). If a page won't load without JavaScript, chances are there is another site that will having the same (mis)information.

    Pro-tip: if you didn't pay for the content, it isn't the p

  • Thank you I'll be here all week. Try the fish!

The truth of a proposition has nothing to do with its credibility. And vice versa.

Working...